General

  • Target

    SecuriteInfo.com.Heur.15222.18660

  • Size

    192KB

  • Sample

    210309-jz8l9njecx

  • MD5

    d3c7cfb10bf9afdd54b21b3a81aa4f88

  • SHA1

    33ae344b6ef9b9af6ce3028d823a303045f1d902

  • SHA256

    dcebef598b38647dc3f96a48d8bbddc3f4b1b45a92484ec15f4e3686ba559fcc

  • SHA512

    d73e2e1a0626443b2d14478910e23ac146d9b68ff89e22dcbc56a504815e7b4bafe6e207d160dfbf487c7b49dfe27cc38072f61c2ba97bcfb6adde3dff8f3d8b

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    http://gogorv.net/parseopml/intel.php

Extracted

  • Family

    trickbot

  • Version

    100013

  • Botnet

    rob72

  • C2

    103.225.138.94:449
    122.2.28.70:449
    123.200.26.246:449
    131.255.106.152:449
    142.112.79.223:449
    154.126.176.30:449
    180.92.238.186:449
    187.20.217.129:449
    201.20.118.122:449
    202.91.41.138:449
    95.210.118.90:449

  • Attributes

    autorun
      Name:pwgrab
    ecc_pubkey.base64

Targets

    • Target

      SecuriteInfo.com.Heur.15222.18660

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Templ.dll packer

      Detects the Templ.dll packer, which usually loads TrickBot.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (2)

Tasks